Unpacking TrickBot Banker

Source2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a

Steps:
(1) Dump the injected process using Immunity Debugger;
(2) Rebase and obtain a TrickLoader‘s injected executable from memory;
(3) Find host-based and network protocol artifacts;
(4) Decode the config finding by advapi.dll’s CryptDecrypt API

<mcconf>
<ver>1000002</ver>
<gtag>tmt2</gtag>
<servs>
<srv>91.219.28.77:443</srv>
<srv>193.9.28.24:443</srv>
<srv>37.1.209.51:443</srv>
<srv>138.201.44.28:443</srv>
<srv>188.116.23.98:443</srv>
<srv>104.250.138.194:443</srv>
<srv>46.22.211.34:443</srv>
<srv>68.179.234.69:443</srv>
<srv>5.12.28.0:443</srv>
<srv>36.37.176.6:443</srv>
<srv>37.109.52.75:443</srv>
<srv>27.208.131.97:443</srv>
</servs>
<autorun>
<modulename=systeminfo ctl=GetSystemInfo/>
<modulename=injectDll/>
</autorun>
</mcconf>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s